I am wondering this as I received an e-mail yesterday through my Hotmail account (which isn't the account I used to register) from that company advertising a mystery shopper job which I thought was just some unsolicited spam until I noticed the URL it asked me to visit (they did mask the last bit with a few x's, but this is what I saw which has been broken to stop anyone clicking on it).

hXXp://www.helionresearch.com/evaluator/r/animesuki

Now I'm not sure if my data was handed to them by this place, or if they crawled the profiles looking for any viable e-mail addresses since the only one they could get from my account was the MSN one (if the latter is the case since user profiles can be viewed by anyone, then it might be a good idea to lock profile views down to registered users only).

You have the user "HelionResearch" in your list of recent profile visitors (as do I and several other members) so it's a good bet that your theory about profile crawling is correct. Also, you can set your profile to only be viewable by registered users; it's under "Edit Options" in the User CP. Though unfortunately that wouldn't have actually helped in this case since that spam account managed to register and view profiles before being banned.

1. Join a forum (become a registered member)
2. Scrape useful data from as many public profiles as you can
3. Send spam that alludes to the forum, hoping that makes it more believable/likely to be clicked

The MSN Messenger address is a prime target for this, since it's in the form of a valid/working E-mail address. (But with MSN Messenger being phased out in most places, that problem may be going away.)

We'll have to think if there's anything we can do to prevent this, or at least to make it more difficult. But I do thank you for bringing it up, at least so it can be clear that, no, this has nothing to do with the site or its staff, and we certainly do not authorize this use of the Forum Profile data.

Yikes! Well, even when I used to chat, privacy is pretty much the main reason why I've never listed any MSN, ICQ, Yahoo Messenger etc. under my profile. I cringe anytime I see such in any user's profile. In this age of cellphones, chatting is dying a slow death, and even if I want to chat with someone, I would rather PM the person with my info than listing it under my profile.

Perhaps we should just consider disabling the option to add Instant Messaging altogether from the user profile, or am I overreacting?

Perhaps we should just consider disabling the option to add Instant Messaging altogether from the user profile, or am I overreacting?

You're overreacting as these crawlers can only benefit from IM systems like MSN/WLM where you need the full e-mail address to be able to add someone on that client, so removing those that require that (although since MSN/WLM is being shut down soon, it would most likely be better if the MSN Messenger handle part of the instant messaging section in the edit your details part of the User CP was removed even though those people who merge their Microsoft and Skype accounts could use either as a Skype ID once WLM is shut down).

It also looks like the profile visibility option doesn't work since it is set to members only, yet I was able to view my profile without logging in (it looks like that option doesn't cover everything since the rest of the profile that can be viewed without logging in is controlled by the profile privacy section of the user CP as once I'd put my contact details to members only they didn't show if I'm not logged in).

It also looks like the profile visibility option doesn't work since it is set to members only, yet I was able to view my profile without logging in (it looks like that option doesn't cover everything since the rest of the profile that can be viewed without logging in is controlled by the profile privacy section of the user CP as once I'd put my contact details to members only they didn't show if I'm not logged in).

I'm not sure that I quite follow this, but I think "Profile Visibility" just means that the more detailed profile info is hidden. You can view the basic profile no matter what, but it's a question of how many details are shown. So I'm pretty sure, again if I'm understanding correctly, that this is by design.

You could argue it is a bug, but relentlessflame is correct in that it is working as designed. Only the design hasn't been well conveyed and the "bug" is that the options form was misleading to older users (those who joined the forum before the option was added).

When the option was added the default was set to "Members Only", because I thought that was the best option for new accounts being created. Partly it was for privacy and partly to stop spammers from joining and filling their profiles with links in visitor messages. Most bots (and most human spam teams) don't know to change the option because it is bespoke.

However, we didn't want to just change how the forum worked for existing users. Indeed some wanted it to stay as it was. Unfortunately this compromise meant I missed an important detail: the way the form looks if you don't have any value set in the profile option. If the default had been the same as existing users, it wouldn't have been a problem.

The forum software correctly sets default options for new profiles, but not existing ones. So while it said "Members Only", because that is the default, your profile didn't actually have the privacy setting set to anything at all; it was blank. The logic that decided if you can see the page was treating this lack of setting as it always had: "everyone can see this page". Changing the setting and saving would correct this.

I've since fixed the step I missed before that means the profile correctly reflects how the forum will handle the setting regardless of when you registered (i.e. everyone has a profile visibility set explicitly now). I've also changed the display logic to fail-to-private (so if a blank does creep in again it will fail to members only this time).

Oh and I've taken the liberty of changing your settings to Members Only. If you repeat your logged-out viewing test it should block as intended. My apologies for the confusion and any leak of information that may have resulted.
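The blank-setting behaviour and the fail-to-private fix described in the last post, as an added example that is not part of the thread and is not the forum software's own code. All names here (`can_view_fail_open`, `can_view_fail_private`, `misleading_profiles`, `backfill`, the setting strings) and the sample profiles are hypothetical, and the value written to legacy profiles is a parameter because the thread does not say which one was used.

```python
from typing import Callable, Dict, List, Optional

EVERYONE, MEMBERS_ONLY = "everyone", "members_only"  # assumed setting values
FORM_DEFAULT = MEMBERS_ONLY  # what the options form pre-selects when nothing is stored

def can_view_fail_open(stored: Optional[str], is_member: bool) -> bool:
    """Pre-fix logic as described: only an explicit members-only value restricts."""
    if stored == MEMBERS_ONLY:
        return is_member
    return True  # blank or unrecognised value is treated as "everyone can see this page"

def can_view_fail_private(stored: Optional[str], is_member: bool) -> bool:
    """Post-fix logic: only an explicit public value opens the page to guests."""
    if stored == EVERYONE:
        return True
    return is_member  # members-only, blank or unrecognised all require a login

def misleading_profiles(profiles: Dict[str, Optional[str]],
                        check: Callable[[Optional[str], bool], bool]) -> List[str]:
    """Profiles whose form shows members-only while a guest can still view them."""
    return sorted(name for name, stored in profiles.items()
                  if (stored or FORM_DEFAULT) == MEMBERS_ONLY and check(stored, False))

def backfill(profiles: Dict[str, Optional[str]], legacy_value: str) -> int:
    """Store an explicit value on every blank profile; returns how many changed."""
    changed = 0
    for name, stored in profiles.items():
        if not stored:
            profiles[name] = legacy_value
            changed += 1
    return changed

# Constructed sample data: two accounts predate the option and have no stored value.
PROFILES: Dict[str, Optional[str]] = {
    "new_user": MEMBERS_ONLY,
    "legacy_user": None,
    "legacy_blank": "",
    "public_user": EVERYONE,
}

if __name__ == "__main__":
    print("exposed under fail-open:", misleading_profiles(PROFILES, can_view_fail_open))
    print("exposed under fail-private:", misleading_profiles(PROFILES, can_view_fail_private))
    fixed = dict(PROFILES)
    print("backfilled:", backfill(fixed, MEMBERS_ONLY), "profiles")
```

Running `misleading_profiles` against the enforcement function in use is a quick audit for the same class of bug: any name it returns is a profile where the displayed setting and the enforced setting disagree.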